He further identified his target as “nameless, unreasoning, unjustified terror.” He spoke early in 1933, during the darkest days of the American depression, when millions were out of work, no safety nets existed to help them, and there was no recovery in sight. What’s more, the specter of European Nazism, with its saber rattling, and strident, irrational racism, was waxing. In the face of these actual reasons to be afraid, Roosevelt fingered the real danger: irrational fear; fear for its own sake; being afraid simply because it’s easier than not being afraid.

Largely, the nation heeded Roosevelt’s admonition. We refused to succumb to fear, the economy recovered, we vanquished our foes, and emerged as the world leader for the rest of the 20th century.

Unfortunately, in the 21st century, we have quite failed Roosevelt. We have become a terrified nation and live in a culture of fear. We act afraid and we let baseless fear drive our choices. Mutual trust is the basis of civilization, and our nameless, unreasoning, unjustified terror is unraveling the fabric of our society.

You can see the telltale traces of our fear everywhere. Everything we buy comes with voluminous safety instructions exhaustively detailing how it all might conspire to hurt us. The panoply of products and services with which we surround ourselves collectively laugh at our foolish anxiety. Every product we own is plastered with scary warning labels exhorting us to not act like an imbecile or we might suffer.

All of our cars have utterly useless alarms on them. They go off accidentally and annoy entire neighborhoods, but they don’t deter professional car thieves.

Our roads are lined with warning signs telling us to be careful even though such signs not only don’t work, but are dangerously distracting.

Even though violent crime is way down, our mass media over-hypes every crime into an epidemic, every mugging into a crime wave.

Our airport security strips us of all dignity while performing its useless charade of frightening cowardice.

But that isn’t what I want to talk about. I want to talk about passwords. More specifically, I want to talk about hiding passwords with asterisks when we have to enter them on websites.

Our software programs conceal our passwords with coy little asterisks and our trust in each other erodes. We begin to suspect our co-workers, fellow transit riders, and even our family members of trying to steal our identities. It is another palpable example of nameless, unreasoning, unjustified terror, and this one is right in the backyard of interaction designers.

I have no complaint against passwords. They are useful tools to protect our data and our online accounts. It’s just that software should not hide my passwords from me, and only in extremely rare cases does it need to hide them at all.

The only reason why passwords are hidden is because we have become a nation of terrified little mice, riddled with chickenhearted fear, suspicious of every innocent shadow. Every time a website conceals a password from the person who is entering it, we witness a small victory for fear itself, and a minute but very real rip in the fabric of our society.

While identity theft is a real problem, there is abundant evidence that it comes from institutional sources: from hackers breaking into corporate databases or from gross security leaks on a mass scale. I have seen no evidence whatsoever that individuals are stealing passwords by over-the-shoulder spying.

Recently there’s been a long discussion on the IxDA list regarding the proper way to conceal passwords. Some brave voices have suggested that concealment may not be necessary. They are far outnumbered by those who mindlessly accept that fear itself must triumph and everyone is out to steal your Amazon account and crack into your tweet stream. Bah!

I’ve been trying to imagine a scenario where passwords really need to be concealed. I couldn’t imagine one. I thought of a few, but they were all based on the assumption that people mostly stood around, waiting to catch a glimpse of my password so that they could...what? Send me spam? Post embarrassing pictures of me on Facebook? I’ve got news for them: That train has left the station!

One of my colleagues suggested that entering a password during a presentation would unnecessarily reveal your password to the audience. While I can’t argue with the specific case, as an interaction designer it bothers me. What kind of messed up software would force a person to enter a password at the start of a public presentation? What kind of badly designed software would not allow the user to request that his password be concealed just this one time?

And anyway, what would happen if the audience did see your password? It takes far more courage to show your vulnerabilities than it does to conceal them. Showing your strength in this way is a better deterrent to petty crime than any defensive measure is. If you doubt this, ask any police officer.

In my 1999 book, The Inmates are Running the Asylum, I point out that remote alarm buttons on automobile keyfobs are an utterly unnecessary feature that surely had its roots in some engineer saying, “Hey! Look what I can do!” Thereafter, every remote entry fob has had to have the alarm button so as to not appear to have a deficient feature list. I have no doubt that the asterisk-covered characters in a password field had identical origins. Some engineer figured out a clever way to subclass a text entry field to put the moral equivalent of tailfins on his program, and ever since then others have been following suit to not appear deficient.

Normally, such mindless behavior would disgust me, but in this case it angers me, too. Because it isn’t just simple bad interaction design, but it is a bold assertion of that nameless, unreasoning, unjustified terror of which Roosevelt warned. It is another tiny crack in the wall that keeps us from barbarianism. Every time you put a concealed-password field on your website, you degrade our society, debase our culture, and demonstrate your irrational fear; your fear of fear itself.

11 Comments

Dorian Taylor, Sep 13, 2011

Schneier had some good points on this issue. I submit as well that a password isn't the only authentication mechanism in the world and we should (and I do) pay more attention to alternatives.

Dave, Sep 13, 2011

Bruce Schneier is one of the alpha-geeks of computer security. In addition to writing the seminal book on cryptography, he also coined the phrase "security theater." There was an interesting discussion on the pros and cons of password masking on his blog in 2009:
http://www.schneier.com/blog/archives/2009/07/the_pros_and_co.html
It's worth reading through the comments; many are well-reasoned and interesting. As for me, I don't think I've made up my mind yet on password masking. Though it has been a real tragedy to see the USA lose its claim to "the home of the free and the land of the brave" in the last ten years.

meagar, Sep 14, 2011

I was more or less on board until the 3rd last paragraph:

"And anyway, what would happen if the audience did see your password? It takes far more courage to show your vulnerabilities than it does to conceal them. Showing your strength in this way is a better deterrent to petty crime than any defensive measure is. If you doubt this, ask any police officer."

This reads like a joke. It is just an incredibly silly thing to have said, but trying to back it up with "if you don't believe me, ask a cop" lowers the bar way down into the realm of absurdity.
Are you really trying to say that we shouldn't worry about password security, that by showing off our passwords we'll somehow be better off? Why not publish all your passwords online, and tell the world "do your worst, you can't hurt me!" That would be the ultimate show of strength, right?

Tom, Sep 14, 2011

I'm not sure I agree that password masking is universally bad. The merits of the practice are highly contextual, and in most cases represent small but important contexts of use for software systems that have use across many different contexts.
Take masking of ATM access codes as an exemplar. Despite the fact that we call them codes, they are passwords. And it is a known fact that crooks can and do 'stand around' trying to steal them. As a matter of fact, they go so far as to install cameras to record the information, etc. That's just one case - there are certainly others.
You might react by suggesting that this is an edge case - a very public use that is special. My response is that edge cases are, despite their rarity, still valid cases, especially when failures surrounding them have particularly dire consequences. Because software is used under heterogeneous conditions, you can't simply dismiss a security mechanism because you think it sucks in the privacy of your living room, or because you personally don't care if someone logs into your Facebook page. There are legitimate contexts in which such a mechanism is valid, but any software used across contexts may alternately seem more or less fit.
Your stance on automobile key fob 'panic' buttons strikes me as quite similar; you seem to equate 'limited use' to 'useless' and I don't think that's a fair evaluation. I'm having a hard time understanding why the presence of a feature which may have a limited role is seen as 'poor usability', and certainly I don't see how it is evocative of unbridled fear. A woman who might happen to set one of these off while being approached by a stranger in a dark parking lot at night may in fact be afraid, but not unjustifiably so. Why, then, is providing a feature that appeals to her rather than to a macho guy like yourself somehow bad design or coweringly fearful?
Overall, I disagree with the examples you provide. I don't think password masking or key fobs are irrational and pointless, but I do agree that there may be other mechanisms which would be more useful.

Thomas Tupper, Sep 14, 2011

Judging by the prolific twitterverse scrawling I'm seeing, I can see you do actually read these posts. ;-)
Let's be real for just a moment: What is your solution to a use case that exists in some contexts but not others? Password masking is arguably undesirable within the privacy of your own home. But there are cases where it is not only desirable, it is vital. How is a software system that is largely devoid of any mechanism for understanding contextual use supposed to adapt to the differing needs that derive from context?
I understand you're pretty down on masking, but surely you must recognize it has merit in some contexts. Somehow I doubt, despite your extreme stance, that you would be so sanguine about it if it were the password to your banking account in question and the use context was a publicly viewable terminal (such as a web browser running in a hotel lobby, the back of an airplane seat, etc).
If you agree that there are some use contexts where masking makes sense, then what's your suggestion for how Facebook, for example, should approach making their password fields mask in public but not in private? That's the rub and that's why it is as it is - because the designers of these systems lack mechanisms for contextual awareness. Against that, you face a balancing act between the pros and cons, and the cons of compromised accounts, theft, etc. outweigh (in my opinion) the deleterious effect on usability that the mechanisms cause.
It's really easy to argue against something, but much harder to provide an alternative. I'm interested in your vision of the alternative.

Olli, Sep 17, 2011

On (an almost) off topic note, any European can tell you that the reason for all those warnings on any product is not to promote the fear of hurt but to abolish any possible lawsuits. Who is really afraid of spilling the takeaway coffee and how would the warning text help the matter? The warning texts are designed to dodge the responsibility that should not have been there in the first place.

Jared Caponi, Sep 20, 2011

Nielsen wrote a good piece on this topic a while back.
http://www.useit.com/alertbox/passwords.html

Wakjob, Sep 20, 2011

Thanks for just wasting 15 minutes of my life I can never get back on utterly useless nonsense.

Drunken Economist, Sep 21, 2011

Wow, a unique insight into why Windows security is just SO BAD. Do we really need easy buttons that much?
Remember kids, don't hate the platform, hate the "user experience" uh, person who had input into its making.
Do yourself a favor kids, NEVER hire 'user experience' folks if you're looking to make SECURE software. Or if they're on staff, DO NOT take their input very seriously.
-Drunky

Alex N, Oct 20, 2011

Nah, I'm not buying this theory. I see a very different kind of fear at play here.
The irony of the situation is that the second person using the concealed password field usually does not really care about your password (the guy who invented it did, and maybe rightly so). Like the airport security guy doesn't really care if you get hit by a car walking out of the building. What they do fear, though, is that something might happen on their watch that they will be blamed for. That's how this culture of _not taking any responsibility_ is created where you get features blindly copied from the competitor's products (so that they can't blame you if the product fails) and stupid signs erected (so they can't blame you if anything happens there). That's what we should really fear.

Mark Stafford, Feb 21, 2012

Regarding your 9/13/2011 Culture of Fear post:
Y. Francis Fukuyama would agree: "Mutual trust is the basis of civilization, and our nameless, unreasoning, unjustified terror is unraveling the fabric of our society." He was a NeoCon, but went rogue after Rove/Cheney stoked this very insidious mechanism of fear. Little ol' me couldn't agree more too. You've described my next business: nurturing mutual trust to strengthen the fabric of our society.
"Every time a website conceals a password from the person who is entering it, we witness a small victory for fear itself, and a minute but very real rip in the fabric of our society." Trend is important; pennies add up. Thanks for encouraging us all to pick up pennies, or rather not drop them in the first place.
Olli and Alex were more explicit in their reasoning: avoiding lawsuits is the causative culprit of idiot signage, which you accurately point out then provokes an increasing culture of fear. An obvious solution is tort reform. A less obvious one: engender a culture of individual responsibility, where participants find blame (and lessons) in themselves, examine their own culpability in their own circumstances, and diverge from the culture of Corporate America where liabilities are externalized (socialized costs, blame) and assets are internalized (privatized profits, accolades).
To effect this more thorough solution of cultural responsibility, our ancestors recommend children play with Earth, Wind, Water, Fire; then as adults they will likely make coherent decisions. Helicopter Parents don't allow their children to play with Fire, to emergently develop an intelligent and informed relationship with fire, fear, and other dangerous things.
So here we are, in extreme peril as a species, blaming the 1% for our own personal over-consumption and mistaken priorities. That will be pretty funny in a few hundred years.
